9 Aug 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Social LikeBox & Feed

The plugin Social LikeBox & Feed was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a less serious vulnerability related to a more serious one, a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

The plugin registers its admin page to be accessible by Administrators:
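As an added illustration (not the plugin's own code), the following hypothetical WordPress admin page in PHP shows the pattern that produces a CSRF/XSS issue of this kind beside its hardened form; the slug, option name and function names are assumptions.

```php
<?php
// Added illustration, not code from Social LikeBox & Feed. Assumes a hypothetical
// plugin slug 'example-feed' and option name 'example_feed_title'.

// Vulnerable handler: the settings write has no nonce check, so a request forged
// from another site is accepted if an Administrator is logged in (CSRF), and the
// stored value is echoed back into an HTML attribute without escaping (XSS).
function example_feed_page_vulnerable() {
    if ( isset( $_POST['feed_title'] ) ) {
        update_option( 'example_feed_title', $_POST['feed_title'] ); // CSRF: no nonce verification
    }
    $title = get_option( 'example_feed_title', '' );
    echo '<form method="post">';
    echo '<input name="feed_title" value="' . $title . '">';          // XSS: attribute not escaped
    echo '<input type="submit" value="Save"></form>';
}

// Hardened handler: capability check, nonce emitted with the form and verified
// before the write, input sanitised, output escaped for the attribute context.
function example_feed_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['feed_title'] ) ) {
        // Dies with a 403 page when the nonce is missing or invalid.
        check_admin_referer( 'example_feed_save', 'example_feed_nonce' );
        update_option( 'example_feed_title', sanitize_text_field( wp_unslash( $_POST['feed_title'] ) ) );
    }
    $title = get_option( 'example_feed_title', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_feed_save', 'example_feed_nonce' );
    echo '<input name="feed_title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

// Register the hardened page for Administrators (manage_options capability).
add_action( 'admin_menu', function () {
    add_menu_page( 'Example Feed', 'Example Feed', 'manage_options', 'example-feed', 'example_feed_page_hardened' );
} );
```

Restricting a page to Administrators does not by itself protect against CSRF, because the forged request is sent by the Administrator's own browser; the nonce check is what ties the request to an action the user actually initiated.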